Vba2Graph- A Tool For Security Researchers For Malware Analysis










Vba2Graph: a tool for security researchers for malware analysis.



Allows for quick analysis of malicious macros, and easy understanding of the execution flow.


It generates a VBA call graph for easier analysis of malicious documents. Developed by @MalwareCantFly.



Features



  • Keyword highlighting

  • VBA Properties support

  • External function declaration support

  • Tricky macros with “_Change” execution triggers

  • Fancy color schemes



Pros


    ✓ Pretty fast


    ✓ Works well on most malicious macros observed in the wild




Cons


    ✗ Static (dynamically resolved calls would not be recognized)
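
The static limitation above and the "_Change" trigger feature, shown in a small Python sketch. This is an added example, not Vba2Graph's own code: the sample macro is constructed, and the rule that links a .Text/.Value assignment to a matching _Change handler is an assumed heuristic.

```python
import re
# Constructed sample macro for illustration (not taken from a real document).
SAMPLE_VBA = '''
Private Sub UserForm_Resize()
    TextBox1.Text = "go"
End Sub
Private Sub TextBox1_Change()
    Stage2
End Sub
Sub Stage2()
    Application.Run "Hid" & "den"
End Sub
Sub Hidden()
    MsgBox "payload"
End Sub
'''

DEF_RE = re.compile(r'^[ \t]*(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+(\w+)', re.I | re.M)
END_RE = re.compile(r'^[ \t]*End\s+(?:Sub|Function)\b', re.I | re.M)
EVENT_RE = re.compile(r'_(Change|Resize)$', re.I)  # event triggers named on this page
DYNAMIC_RE = re.compile(r'\b(Application\.Run|CallByName)\b', re.I)  # string-dispatched calls

def split_procedures(code):
    """Map each Sub/Function name to its body, with strings and comments blanked."""
    procs = {}
    for m in DEF_RE.finditer(code):
        end = END_RE.search(code, m.end())
        body = code[m.end():end.start() if end else len(code)]
        procs[m.group(1)] = re.sub(r"'.*", '', re.sub(r'"[^"\n]*"', '""', body))
    return procs

def analyze(code):
    procs = split_procedures(code)
    by_lower = {name.lower(): name for name in procs}  # VBA names are case-insensitive
    edges = set()
    for caller, body in procs.items():
        targets = set(re.findall(r'\w+', body.lower()))  # direct calls by name
        # Assumed heuristic: writing Ctrl.Text/.Value fires Ctrl_Change if defined.
        targets |= {c.lower() + '_change' for c in re.findall(r'(\w+)\.(?:Text|Value)\s*=', body, re.I)}
        edges |= {(caller, by_lower[t]) for t in targets if t in by_lower and by_lower[t] != caller}
    entries = sorted(n for n in procs if EVENT_RE.search(n))
    dynamic = sorted(n for n, b in procs.items() if DYNAMIC_RE.search(b))
    orphans = sorted(n for n in procs if n not in entries and all(n != b for _, b in edges))
    return {'edges': sorted(edges), 'entries': entries, 'dynamic': dynamic, 'orphans': orphans}

def to_dot(result):
    lines = ['digraph vba {'] + [f'  "{n}" [style=filled, fillcolor=orange];' for n in result['entries']]
    lines += [f'  "{a}" -> "{b}";' for a, b in result['edges']]
    return '\n'.join(lines + ['}'])
```

On the sample, Hidden has no incoming edge because its name is only assembled at run time inside Stage2. A procedure reported under 'orphans' in a module that also has entries under 'dynamic' is one to read by hand.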



Examples


Example 1:


Trickbot downloader – utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.




Example 2:





Installation



Install oletools:


https://github.com/decalage2/oletools/wiki/Install



Install Python Requirements


pip install -r requirements.txt



Install Graphviz


For Windows
Install Graphviz msi:


https://graphviz.gitlab.io/_pages/Download/Download_windows.html


Add “dot.exe” to PATH env variable or just:


set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin


For Mac
brew install graphviz


Ubuntu
sudo apt-get install graphviz


Arch
sudo pacman -S graphviz




Usage (All Platforms)


olevba malicious.doc | python vba2graph.py -c 1


python vba2graph.py -i olevba_output.bas -o output_folder



Output


You’ll get 3 folders in your output folder:


  • png: the actual graph image you are looking for

  • dot: the dot file which was used to create the graph image

  • bas: the VBA functions code that was recognized by the script (for debugging)



Batch Processing


Mac/Linux:
batch.sh script file is attached for running olevba and vba2graph on an input folder of malicious docs.


The script deletes the output dir. Use with caution.

